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IN THE UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 


UNITED STATES OF AMERICA, 
Plaintiff, 
v. 

FACEBOOK INC., 

Defendant. 


No. l:19-cv-02184 


UNOPPOSED MOTION FOR LEAVE TO FILE A BRIEF OF THE 
ELECTRONIC PRIVACY INFORMATION CENTER (EPIC) AS 
AMICUS CURIAE IN OPPOSITION TO THE MOTION TO 
APPROVE CONSENT JUDGMENT 


Proposed amicus curiae. Electronic Privacy Information Center (“EPIC”), respectfully 
moves this Court under LCvR 7(o) for leave to file a brief in opposition to the consent motion to 
approve consent judgment by the United States. ECF No. 2. In support of this motion, EPIC 
states as follows: 

1. EPIC previously filed a motion to intervene “or, in the alternative, for leave to file an 
amicus curiae brief in opposition to the proposed Consent Decree of the parties,” and for other 
relief on July 26, 2019. EPIC Mot., ECF No. 5. The Court has not yet ruled on EPIC’s motion. 

2. The United States and Facebook filed oppositions to EPIC’s Motion on August 5, 2019, 
but both parties specified that they took “no position” on EPIC’s request to file an amicus brief. 
U.S. Br. 4, ECF No. 11; Facebook Br. 1, ECF No. 12. EPIC reached out to both parties again 
prior to filing this motion, pursuant to LCvR 7(m), and both parties again confirmed that they 
take no position (and thus do not oppose) EPIC’s motion to file an amicus brief. 
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3. On September 12, 2019, the Center for the Legalization of Privacy filed an unopposed 
motion for leave to file an amicus brief. ECF No. 17. The Court subsequently issued a Minute 
Order later that day, granting the Motion and ordering the group to file its amicus curiae brief by 
October 15, 2019. 

4. EPIC seeks, through this motion, to file an amicus curiae brief on the same date this 
Court has previously set for the filing of a brief amicus curiae in this matter. 

5. This motion to file as amicus curiae is not a waiver of, nor does it supersede, EPIC’s 
pending motion of July 26, 2019 to intervene. 

6. EPIC is a public interest research center in Washington, D.C. EPIC was established in 
1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First 
Amendment, and other constitutional values. 

7. EPIC has a unique interest in this case because EPIC, along with a coalition of consumer 
protection organizations, brought the complaints that led to the 2012 Federal Trade Commission 
(“FTC”) Consent Order against Facebook (“2012 Consent Order”). EPIC Mot., Ex. 1, ECF No. 
5-2. Since 2012, EPIC has filed five detailed complaints with the Commission regarding 
Facebook’s business practices, alleging violations of the 2012 Consent Order. All of these 
complaints, as well as many similar complaints brought to the Commission by consumer and 
privacy organizations representing the interests of Facebook users, would be extinguished by the 
proposed consent decree that the FTC and Facebook have submitted to this Court for review. 

8. An amicus brief from EPIC is desirable in this case because EPIC is uniquely situated to 
address the fairness, adequacy, and reasonableness of the parties’ proposed consent decree. For 
more than a decade, EPIC has brought forward evidence to the Federal Trade Commission 
concerning the business practices of Facebook that impact the privacy interests of users of the 
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company’s services. EPIC has discussed these issues in complaints to the Commission, 
testimony to Congress, and articles in journals and national publications. No other group is as 
well positioned as EPIC to speak to the adequacy of this settlement. 

9. EPIC’s position is not adequately represented by either party in this matter because both 
parties have agreed to the proposed consent decree. 

10. EPIC’s arguments are relevant to the disposition of this case because the Court must 
assess the adequacy and fairness of the settlement before it rules on the parties’ consent motion. 

For these reasons, EPIC asks this Court to grant EPIC’s motion and file the attached 
proposed amicus brief. 

Respectfully Submitted, 

MARC ROTENBERG, D.C. Bar #422825 
EPIC President and Executive Director 

/s/ Alan Butler _ 

ALAN BUTLER, D.C. Bar #1012128 
EPIC Senior Counsel 

CHRISTINE BANNAN, D.C. Bar #888273762 
EPIC Consumer Protection Counsel 

ELECTRONIC PRIVACY INFORMATION CENTER 
1519 New Hampshire Ave., N.W. 

Washington, D.C. 20036 
(202) 483-1140 (telephone) 

(202) 483-1248 (facsimile) 

Attorneys for Amicus Curiae EPIC 

Dated: October 15, 2019 
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INTEREST OF THE AMICUS 

The Electronic Privacy Information Center is a public interest research center in 
Washington, D.C. EPIC was established in 1994 to focus public attention on emerging civil 
liberties issues and to protect privacy, the First Amendment, and other constitutional values. 

EPIC frequently litigates cases in the D.C. Circuit concerning emerging privacy and civil 
liberties issues. See, e.g., EPIC Amicus Brief, Attias v. Carefirst, Inc. 865 F.3d 620 (D.C. Cir. 
2017) (arguing that data breach victims have sufficiently alleged an injury-in-fact redressable by 
a court and for standing to sue); EPIC v. FTC, 844 F. Supp. 2d 98 (D.D.C. 2012) (alleging that 
the Federal Trade Commission failed to enforce a consent order against Google after the 
company materially changed its business practices concerning user privacy). 

From 2009 to 2011, EPIC and a coalition of consumer organizations pursued several 
complaints with the Federal Trade Commission, alleging that Facebook had changed user 
privacy settings and disclosed the personal data of users to third parties without the consent of 
users. See EPIC Mot, Exs. 1-3, ECF Nos. 5-2, 5-3, 5-4. EPIC conducted extensive research and 
documented the instances of Facebook overriding the users’ privacy settings to reveal personal 
information and to disclose, for commercial benefit, user data, and the personal data of friends 
and family members, to third parties without their knowledge or affirmative consent. Id. 

In response to the complaints, the FTC launched an extensive investigation into 
Facebook’s policies and practices. The FTC and issued a Preliminary Order against Facebook in 

2011 and then a Final Order in 2012. Agreement Containing Consent Order, In re: Facebook, 
Inc. (2011); See Decision and Order, In re: Facebook, FTC No. 092-3184, Dkt. No. C-4365, 

2012 WL 3518628, at 4 (July 27, 2012) [hereinafter “2012 Consent Order”]. Under the 2012 
Consent Order, Facebook is prohibited from making any future misrepresentations about the 
privacy and security of a user’s personal infonnation, requires Facebook to establish a 
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comprehensive privacy program, requires Facebook to remove user information within thirty 
days after a user deletes an account, requires Facebook to obtain a user’s express consent before 
enacting changes its data sharing methods, and requires Facebook to have an independent 
privacy audit every two years. 2012 Consent Order, supra, § 5. 

The Commission made clear EPIC’s role in the establishment of the 2012 Consent Order, 
which is the legal basis of the proposed settlement now before this Court. In announcing the 
proposed Consent Order, the Commission stated that “Facebook’s privacy practices were the 
subject of complaints filed with the FTC by the Electronic Privacy Infonnation Center and a 
coalition of consumer groups.” Press Release, Fed. Trade Comin’n, Facebook Settles FTC 
Charges That It Deceived Consumers by Failing to Keep Privacy Promises (Nov. 29, 2011). 1 

Since 2012, EPIC has filed five detailed complaints with the Commission regarding 
Facebook’s business practices, alleging violations of the Consent Order. See EPIC Mot., Exs. 6- 
10, ECF No. 5. All of these complaints, as well as many similar complaints brought to the 
Commission by consumer and privacy organizations representing the interests of Facebook 
users, would be extinguished by the proposed consent decree that the FTC and Facebook have 
submitted. 

In 2014, EPIC submitted a complaint to the FTC concerning Facebook's manipulation of 
users’ News Feeds for psychological research. Complaint, In re Facebook, Inc. (July 3, 2014), 
EPIC Mot., Ex. 6, ECF No. 5-7. EPIC argued that Facebook had “altered the News Feeds of 
Facebook users to elicit positive and negative emotional responses.” Id. at 1. EPIC further 
alleged that the researchers “failed to follow standard ethical protocols for human subject 
research” and that Facebook violated Section 5 of the FTC Act when it did not get users’ 

1 http://www.ftc.gov/opa/2011/11/privacysettlement.shtm. 
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permission to conduct this study or notify users that their data would be disclosed to researchers. 
Id. These allegations have not been addressed by the FTC. 

Also in 2014, EPIC and the Center for Digital Democracy filed a complaint urging the 
Commission to block Facebook’s proposed acquisition of WhatsApp, a competing messaging 
service, warning that Facebook would seek to acquire the personal data of WhatsApp users. 
Complaint, In re WhatsApp, Inc. (Mar. 6, 2014), EPIC Mot., Ex. 7, ECF No. 5-8. In 2016, after 
the merger had been approved, WhatsApp announced its plans to transfer users’ personal 
information to Facebook, including their phone numbers, for Facebook to use for targeted 
advertising. Looking Ahead for WhatsApp, WhatsApp Blog (Aug. 25, 2016). 2 EPIC and CDD 
filed a complaint with the FTC opposing the transfer of WhatsApp user data to Facebook and 
arguing that the proposed policy changes violated Section 5 of the FTC Act. Complaint, In re 
WhatsApp, Inc. (Aug 29, 2016), EPIC Mot., Ex. 8, ECF No. 5-9. These allegations have not been 
addressed by the FTC. 

In 2018, EPIC and a coalition of consumer privacy organizations filed a complaint with 
the Federal Trade Commission charging that Facebook's facial recognition practice lacked 
privacy safeguards and violated the 2012 Consent Order with the Commission. Complaint, In re 
Facebook, Inc. and Facial Recognition (Apr. 6, 2018), EPIC Mot., Ex. 9, ECF No. 5-10. As 
EPIC explained in its complaint, in early 2018, Facebook began routinely scanning photos, 
posted by users, for biometric facial matches without the consent of either the image subject or 
the person who uploaded the photo. Id. EPIC and consumer groups requested that “the 
Commission investigate Facebook, enjoin the deployment of additional facial recognition 
techniques as a violation of the 2011 Consent Order, and require Facebook to modify its 

2 https://blog.whatsapp.com/10000627/Looking-ahead-for-WhatsApp. 
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biometric data practices to protect the privacy of Facebook users and non-users.” Id. at 38. These 
allegations have not been addressed. 

Perhaps most significantly in 2018, EPIC along with sixteen consumer organizations sent 
a statement to the FTC, urging the Commission to investigate the unprecedented disclosure of 
personal data in the Facebook Cambridge Analytica scandal, practices that were subject to the 
FTC’s authority under the 2012 Consent Order. The organizations wrote: “On behalf of leading 
consumer privacy organizations in the United States, we urge you to immediately investigate 
whether Facebook’s alleged disclosure of the personal data of 50 million Americans to the data 
mining firm Cambridge Analytica violated the FTC Consent Order with Facebook we helped 
obtain.” Letter from EPIC et al. to Maureen Ohlhausen, Acting Chainnan, FTC, and Terrell 
McSweeney, Commissioner, FTC (Mar. 20, 2018), EPIC Mot., Ex. 10, ECF No. 5-11. One week 
later, the FTC announced it would reopen the investigation of Facebook. Press Release, Fed. 
Trade Comrn’n, Statement by the Acting Director of FTC’s Bureau of Consumer Protection 
Regarding Reported Concerns About Facebook Privacy Practices (Mar. 26, 2018). 3 

These actions and complaints pursued by EPIC and others on behalf of Facebook users 
are directly relevant to the Court’s consideration of the FTC’s proposed Consent Decree with 
Facebook. But even the actions of EPIC and the associated organizations do not describe the full 
range of public interest in this matter. More than 29,000 consumer complaints about Facebook 
are currently pending at the Commission, and the number of complaints against the company has 
been doubling annually. FOIA Request from EPIC to FTC (Mar. 13, 2019). 4 In 2018 alone, the 
FTC received 8,391 consumer complaints about Facebook, nearly twice the number received in 

3 https://www.ftc.gov/news-events/press-releases/2018/03/statement-acting-director-ftcs-bureau- 
consumer-protection. 

4 https://epic.org/foia/ftc/facebook/EPIC-19-03-13-FTC-FOIA-20190313-Request.pdf. 
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2016 (4,612), and more than four times the number received in 2014 (1,860). FTC Response to 
EPIC FOIA Request (Apr. 2, 2019). 5 The FTC received 3,156 complaints between April 1, 2019 
and September 3, 2019. FTC Response to EPIC FOIA Request (September 20, 2019). 6 


5 https://epic.org/foia/ftc/facebook/EPIC-19-03-13-FTC-FOIA-20190402-Complaint-Number- 
Breakdown.pdf. 

6 https://epic.org/foia/ftc/facebook/EPIC-19-07-25-FTC-FOIA-20190920-Production-Letter.pdf. 
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SUMMARY OF THE ARGUMENT 

The FTC’s proposed Consent Decree with Facebook largely mirrors the preexisting 
Consent Order from 2012. There are few new obligations on the company that would limit the 
collection and use of personal data, nor will there be any significant changes in business 
practices. This is almost unimaginable given the extensive evidence of ongoing privacy 
violations by the company, documented by EPIC and other consumer privacy organizations, as 
well as the more than 29,000 complaints against Facebook currently pending at the Commission. 
The Commission also seems entirely unconcerned by Facebook’s planned integration of the 
personal data of WhatsApp users even though this would violate representations both firms 
previously made to the Commission. 

The FTC’s settlement with Facebook is not fair and not adequate. The settlement 
releases Facebook from liability for past violations that are not addressed or even identified in 
the complaint, and the settlement does not impose meaningful changes to Facebook’s business 
practices. The Court should reject the settlement and remand the case to the agency for further 
consideration. 

ARGUMENT 

This Court should not adopt the proposed Consent Decree because the parties have not 
established that it would be fair, adequate, reasonable, appropriate, or consistent with the public 
interest. The D.C. Circuit has held that a court reviewing a consent decree “must satisfy itself of 
the settlement’s ‘overall fairness to beneficiaries and consistency with the public interest.’” 
Citizens for a Better Env ’tv. Gorsuch, 718 F.2d 1117, 1126 (D.C. Cir. 1983) (quoting United 
States v. Trucking Emp’rs, Inc., 561 F.2d 313, 317 (D.C. Cir. 1977)). A court analyzing a 
proposed consent decree must ensure that the settlement is: (1) “both procedurally and 
substantively fair;” (2) “adequate, reasonable, and appropriate” “from an objective point of 
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view,” focusing “on the extent to which the decree is confined to the dispute between the parties 
and whether the decree adequately accomplishes its purported goal;” and (3) “consistent with the 
public interest.” Appalachian Voices v. McCarthy , 38 F. Supp. 3d 52, 55-57 (D.D.C. 2014). 

The FTC-Facebook settlement does not satisfy any of the three requirements. First, the 
settlement is neither procedurally or substantively fair, as it grants broad immunity to Facebook 
for known and unknown violations of law, runs counter to the Federal Trade Commission’s 
procedural mandate to review consumer complaints, and does not further the interests of 
corrective justice and accountability. By releasing Facebook from liability for actions far beyond 
those described in the FTC complaint, extinguishing all 29,000 pending consumer complaints 
under the 2012 Consent Order, the settlement violates the fundamental concepts of procedural 
and substantive fairness. Second, the proposed Consent Decree is not adequate, reasonable, or 
appropriate because it does not achieve its purpose of protecting the privacy of Facebook users. 
The settlement does little more than restate the existing 2012 Consent Order requirements and 
add internal paperwork requirements; it does not create new privacy obligations or curtail 
Facebook’s data collection and disclosure practices. Finally, the proposed settlement is clearly 
not in the public interest, as it leaves consumer complaints unaddressed while still failing to 
ensure consumer privacy on Facebook. 

I. The proposed settlement is both procedurally and substantively unfair and must be 
rejected due to the expansive and vague release of liability granted by the FTC to 
Facebook. 

This Court cannot approve the Commission’s proposed consent decree until it has 
“satisfied itself of the settlement’s ‘overall fairness to beneficiaries and consistency with the 
public interest. ’” In re Idaho Conservation League, 811 F.3d 502, 515 (D.C. Cir. 2016). As 
courts in this Circuit have explained, 
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A review of the fairness of a proposed consent decree requires an assessment of the 
good faith of the parties, the opinions of the counsel, and the possible risks involved 
in litigation if the settlement is not approved. United States v. Hooker Chem. & 
Plastics Corp., 607 F. Supp. 1052, 1057 (W.D.N.Y.), aff’d, 776 F.2d 410 (2d Cir. 

1985). “Fairness incorporates both procedural and substantive components.” 

United States v. Telluride Co., 849 F. Supp. 1400, 1402 (D. Colo. 1994). An 
assessment of procedural fairness involves looking “to the negotiating process and 
attempt[ing] to gauge its candor, openness, and bargaining balance.” Id. A consent 
decree that is substantively fair incorporates “concepts of corrective justice and 
accountability: a party should bear the cost of hann for which it is legally 
responsible.” Id. (quoting United States v. Cannons Eng’g Corp., 899 F.2d 79, 87 
(1st Cir. 1990)). 

United States v. District of Columbia, 933 F. Supp. 42, 48 (D.D.C. 1996). The courts role is 
ultimately to “evaluate whether the settlement was a fair resolution of the claims actually 
asserted” and “fairly resolves the controversy in a manner consistent with the public interest.” Id. 
at 52; see also Massachusetts v. Microsoft Corp., 373 F.3d 1199, 1206 n. 1 (D.C. Cir. 2004). 

The settlement is substantively unfair because it does not adequately address Facebook’s 
unfair and deceptive business practices described in the Complaint. See, supra Section I. But the 
settlement is also both procedurally and substantively unfair because the FTC proposes to give 
Facebook immunity from indeterminate future claims that the company violated the 2012 
Consent Order, or that the company violated Section 5, prior to June 12, 2019. Stip. Order 1, 

ECF No. 2-1. The proposed release is so vague, and the scope of immunity Facebook would gain 
is so indeterminately broad, that the Court should reject it as procedurally unfair. The settlement 
and underlying negotiation process is not sufficiently “open” if members of the public, who the 
FTC is charged with protecting, have no way of knowing what future enforcement authority the 
agency has given up. The release also fatally undermines the “concepts of corrective justice and 
accountability” that are key to a substantively fair settlement. United States v. District of 
Columbia, 933 F. Supp. at 48. 

The United States’ proposed stipulated order states that: 
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The parties have consented to entry of this Stipulated Order to resolve any and all 
claims that Defendant, its officers, and directors, prior to June 12, 2019, violated 
the Commission’s Decision and Order in In re Facebook, Inc., C-4365, 2012 FTC 
LEXIS 135 (F.T.C. July 27, 2012). Furthermore, this Stipulated Order resolves all 
consumer-protection claims known by the FTC prior to June 12, 2019, that 
Defendant, its officers, and directors violated Section 5 of the FTC Act. 

Stip. Order 1, ECF No. 2-1. The FTC is thus proposing to release Facebook from two separate 

sets of claims. First, the Commission would release Facebook from “any and all claims” that the 

Company violated the 2012 Consent Order prior to June 12. Id. This would apparently grant 

immunity from FTC enforcement for any prior violations of the 2012 Order, whether known or 

unknown at the time of the settlement, and whether or not the underlying conduct was actually 

discussed or identified in the Complaint. Second, the Commission would release Facebook from 

“all consumer-protection claims known by the FTC” prior to June 12. This would apparently 

grant immunity from FTC enforcement for any Section 5 or other related violations prior to June 

12, whether or not the conduct was actually discussed or identified in the Complaint, so long as 

the activity was “known” to the Commission. 

This incredibly broad release of claims in the proposed settlement raises more questions 

than it answers, and it is not clear how it would be judicially enforceable or how this Court could 

issue such an order. As Commissioner Rohit Chopra explained in his dissenting opinion “The 

release of Section 5 violations is considerably broader than it may sound, and leaves major 

questions unanswered.” Dissenting Statement of Commissioner Rohit Chopra, In re Facebook, 

Inc., FTC File No. 1823109, at 17 (July 24, 2019) [hereinafter Chopra Dissent]. 7 The settlement 

does not define what it means for a violation to be “known,” nor does it define the scope of 

“consumer-protection” claims. Id. Does the release immunize Facebook from claims that it 


7 https://www.ftc.gov/system/files/documents/public_statements/1536911/chopradissenting 
statement_on_facebook_7-24-19.pdf. 
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violated the Children’s Online Privacy Protection Act (“COPPA”) prior to June 12 based on 
conduct that was described to the FTC in a consumer complaint? The plain text of the Stipulated 
Order indicates yes, but the FTC has not provided sufficient information to know for sure. And 
what about unknown violations of Section 5 that also violate the 2012 Consent Order? Again, the 
plain text would indicate yes and the FTC has not provided any further clarification. 

Procedural fairness requires, at a minimum, that the Commission actually address all of 
the violations that it claims to resolve in a settlement. While the Court is not permitted to “reach 
beyond the complaint to evaluate claims that the government did not make,” neither should the 
FTC be allowed relieve Facebook of future liability for consumer complaints the Commission 
did not pursue. United States v. District of Columbia, 933 F. Supp. at 49. No one can fairly 
evaluate the propriety of a settlement whose terms are indeterminate; not the FTC, not the Court, 
and certainly not the public. Indeed, it is not even clear that such an agreement would be 
enforceable against a future FTC. See Nat’I Audubon Soc’y, Inc. v. Watt, 678 F.2d 299, 305 
(D.C. Cir. 1982) (noting that the question of whether a government agency can “bind its 
successors in the exercise of policymaking discretion” is a “novel and far reaching” one with no 
clear answer). 

There is simply no way that the settlement can be procedurally fair where the 
Commission releases a company from liability for actions that it does not describe, identify, or 
pursue. Over 29,000 consumer complaints about Facebook are currently pending at the 
Commission, and the number of complaints against the company has been doubling annually. 
FTC Response to EPIC FOIA Request (September 20, 2019). 8 If the Commission intends to 
foreclose the investigation of all these potential violations by Facebook, then it would need to 

8 https://epic.org/foia/ftc/facebook/EPIC-19-07-25-FTC-FOIA-20190920-Production-Letter.pdf. 
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actually describe them and address them in the settlement. The FTC has not done so, and the 
settlement should be rejected on that basis alone. 

The broad release of liability is also substantively unfair because it runs counter to the 
purpose of “corrective justice and accountability” that underlies the Commission’s enforcement 
authority. United States v. District of Columbia, 933 F. Supp. at 49. As Commissioner Chopra 
noted, “Allowing blanket immunity for unknown claims effectively rewards Facebook for not 
proactively disclosing its failures, even as the company is still not admitting those failures.” 
Chopra Dissent, supra at 18. Not only is such a broad release unjustified, it appears 
unprecedented. As Commissioner Slaughter explained in her dissenting opinion, the broad 
release is “unsupported by either precedent or sound public policy. To the contrary, in every 
recent major federal settlement, if there was a liability release, it was cabined to the offenses 
described in the complaint.” Dissenting Statement of Commissioner Rebecca Slaughter, In re 
Facebook, Inc., FTC File No. 1823109, at 14 (July 24, 2019) [hereinafter Slaughter Dissent]. 9 
Indeed, as she points out, in other settlements that included a liability release, “those releases 
were accompanied by admissions of civil or criminal liability, which is entirely different from a 
settlement that explicitly disclaims liability.” Slaughter Dissent, supra, at 15. 

Facebook should not be rewarded for its misdeeds. As Commissioner Slaughter notes, 
“Hardly a week passes without a news story revealing some potentially illegal conduct by 
Facebook.” Id. The fact that Facebook has engaged in unfair and deceptive data collection 
processes in the past and has been the subject of tens of thousands of complaints at the 
Commission indicates that corrective justice and accountability would not be served by granting 


9 https://www.ftc.gov/system/fdes/documents/public_statements/1536918/182_3109_slaughter_ 
statement_on_facebook_7-24-19.pdf. 


11 



Case l:19-cv-02184-TJK Document 24-1 Filed 10/16/19 Page 16 of 28 


the company a broad release from future liability. The Commission should be preserving its 
ability to police Facebook’s future misdeeds, not disclaiming authority to investigate violations 
of Section 5 and of the 2012 Consent Order. 

II. The settlement does not meaningfully change Facebook’s business practices or 

correct the violations of Section 5 and the 2012 Consent Order. 

Courts cannot approve a proposed consent decree that is not “adequate, reasonable, and 
appropriate,” and the Court’s assessment of the adequacy of a settlement must “focus on the 
extent to which the decree . . . adequately accomplishes its purported goal.” United States v. 
MTU America Inc., 105 F. Supp. 3d 60, 63 (D.D.C. 2015). The FTC’s consent decree in this case 
would not achieve its “purported goal” because the proposed relief does not require meaningful 
changes in Facebook’s business practices or establish new privacy protections for Facebook 
users. Instead, the settlement simply carries forward the 2012 Consent Order and with no new 
meaningful limits on the collection and use of personal data or any recognition of Facebook’s 
plan to ingest the data of WhatsApp users in violations of representations both firms previously 
made to the Commission. 

A. The injunctive relief is not adequate to protect Facebook users. 

Many of the substantive provisions simply repeat the tenns of the 2012 Consent Order 
and do not impose new meaningful obligations on Facebook. When a company violates an FTC 
Order, the Commission should impose new restrictions that will remedy the core problems and 
avoid future harm. But instead of reforming Facebook’s data collection practices and imposing 
new privacy obligations, the FTC’s enforcement action “places no meaningful restrictions on 
Facebook’s ability to collect, share, and use personal information. Instead, the order allows 
Facebook to evaluate for itself what level of user privacy is appropriate, and holds the company 
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accountable only for producing those evaluations. What it does not require is actually respecting 
user privacy.” Chopra Dissent, supra, at 12. 

None of the injunctive provisions in the settlement meaningfully restrict Facebook’s 
privacy practices. The settlement begins with Prohibition Against Misrepresentation, which is 
nothing more than a standard term in FTC Consent Orders that mirrors Section 5 itself. Stip. 
Order 5, ECF No. 2. There is nothing in this section that alters the company’s business practices 
or establishes new privacy safeguards for users of its services. 

Next the settlement outlines Changes to Sharing of Nonpublic User Information. Stip. 
Order5-6. Facebook is already required under the 2012 Consent Order to disclose its data use 
policies and obtain users’ affirmative consent before disclosing a user’s nonpublic information to 
a third party. This provision is simply cut-and-paste from the 2012 Consent Order. See 2012 
Consent Order, supra, at 4. 

The next section of the settlement, Deletion of Information, Stip. Order 6, is almost cut- 
and-pasted from the 2012 Consent Order. See 2012 Consent Order, supra, at 5. The only change 
is the addition of a single paragraph that requires Facebook to delete from its servers, or to de- 
identify, data “within a reasonable period of time (not to exceed 120 days) from the time that the 
User has deleted such information, or his or her account.” Stip. Order 6. In other words, it 
requires Facebook to actually delete data that users believed would be deleted. And it gives the 
company almost four months to accomplish the task. 

This is not a new requirement. It is simply a restatement that Facebook cannot actively 
deceive users by retaining data that users believe they have deleted. Indeed, the settlement might 
facilitate further deception because it allows Facebook to retain data that users believe they have 
deleted, so long as the data is de-identified. But deletion and deidentification are distinct 
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concepts. With deidentification there is always the risk of reidentification, particularly where 
there is no third-party auditing to assess the adequacy of the deidentification technique. See, e.g., 
Latanya Sweeney, Matching Known Patients to Health Records in Washington State Data (June 
5, 2013). 10 If a user has chosen to delete her data, the Commission should have required 
Facebook to, in fact, delete the data. 

Next the settlement includes a short paragraph on Limitations on the Use or Sharing of 
Telephone Numbers Specifically Provided to Enable Account Security Features. Stip. Order 7. 
This is simply re-stating a deceptive practice that Facebook engaged in, and requiring the 
company to not do it again. It does not serve the interests of “corrective justice and 
accountability” to tell a company that has deceived its users not to deceive its users again in the 
same way. If the settlement’s injunctive relief only focuses on past violations then it does not 
serve the purpose of protecting consumers from future violations. 

This case concerns the misuse of personal data acquired by Facebook. In enforcing the 
2012 Consent Order, the Federal Trade Commission should have ensured that the company 
would follow widely recognized standards for the collection and use of personal data. Facebook 
should be required to comply with all of the Fair Information Practices (“FIPs”), including the 
principle “There must be a way for a person to prevent infonnation about the person that was 
obtained for one purpose from being used or made available for other purposes without the 
person's consent.” EPIC, Code of Fair Information Practices (2019). 11 Here, Facebook asked for 
user phone numbers to enable security features—two-factor authentication, password recovery, 
and login alerts—and proceeded to use those numbers for ad targeting. Compl. f 13, ECF No. 1. 


10 https://ssm.com/abstract=2289850. 

11 https://epic.org/privacy/consumer/code_fair_info.html. 
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Facebook certainly acted deceptively and violated the purpose-limitation FIP when it used two- 
factor authentication data. But limiting the injunctive relief to prohibit that one violation is not 
adequate to accomplish the FTC’s goal of protecting Facebook users. 

The 2019 settlement provision concerning Facial Recognition Templates, Stip. Order 8, 
is much too little, far too late. EPIC first filed a complaint concerning Facebook’s use of facial 
identification technology back in 2011. EPIC Complaint, Request for Investigation, Injunction, 
and Other Relief, In re: Facebook (June 10, 2011). 12 EPIC’s complaint included 34 pages of 
detailed factual and legal analysis of the unfair and deceptive nature of Facebook’s use of facial 
recognition to profile users without their consent. Id. EPIC also discussed Facebook’s unlawful 
deployment of facial recognition technology at length in the comments filed in response to the 
Commission’s release of the proposed Consent Order in 2011. EPIC, Comments to the Fed. 

Trade Comrn’n, In re Facebook, Inc., FTC File No. 092 3184 (Dec. 27, 2011). 13 More recently, 
EPIC filed a new 40-page complaint with a coalition of Consumer Privacy Groups in 2018, 
detailing further violations of Section 5 and of the 2012 Consent Order. Consumer Privacy 
Groups’ Complaint, Request for Investigation, Injunction, and Other Relief, In re Facebook 
(Apr. 6, 2018). 14 

The Consumer Privacy Groups’ 2018 Complaint provided extensive detail about 
Facebook’s deployment of facial recognition over the last 10 years, including the use of facial 
recognition data for “tag suggestions” without user knowledge or consent, the continuation of the 
company’s unlawful practices after the 2012 Consent Order, the company’s development of 
“DeepFace” technology to analyze user photos, and the company’s failure to be transparent 

12 https://epic.org/privacy/facebook/EPIC_FB_FR_FTC_Complaint_06_10_l 1 .pdf. 

13 https://epic.org/privacy/facebook/Facebook-FTC-Settlement-Comments-FINAL.pdf. 

14 https://epic.org/privacy/facebook/FTC-Facebook-FR-Complaint-04062018.pdf. 
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about how it was collecting and using this sensitive biometric data. Id. The Consumer Privacy 
Groups’ 2018 Complaint also explained that other countries have directly limited how Facebook 
and other companies can collect, use, and disclose facial recognition data; Facebook’s business 
practices are illegal in many countries. Id. at 33. 

And now the FTC seeks to dispose of all facial recognition-related claims in the United 
States with a single paragraph in the settlement. Stip. Order 8. Eight years after EPIC filed the 
first complaint at the FTC concerning Facebook and facial recognition; with thousands of related 
complaints that stacked up over the years; and with decisions by many data protection officials 
outside of the United States to suspend the use of facial recognition. Consumer Privacy Groups’ 
Complaint, In re: Facebook, supra, at 33. All that the FTC would require Facebook to do is 
create a pop-up notification and require its users to click accept. Id. The FTC settlement does not 
require Facebook to delete existing facial recognition templates; it allows Facebook to retain that 
user data after obtaining affirmative express consent. 

Facebook should not be pennitted to retain and use the data that it obtained in violation of 
the 2012 Consent Order. This allows Facebook to enrich itself with data acquired using 
deceptive tactics. A Consent Decree should deter future wrongdoing, but this settlement 
condones it. As long as Facebook gets consent after collecting biometric data, it faces no 
penalties. The FTC settlement does not even address the scope of user consent or whether 
services can be restricted for users who do not agree to give up their facial recognition data. 

The FTC settlement provision on facial recognition raises more questions than it answers. 
Does Facebook only have to show the notification once for each user? Can a user’s account be 
limited if they refuse to accept Facebook’s use of facial recognition? What about individuals who 
do not have Facebook accounts but whose images are uploaded to Facebook? The FTC was 
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given more than 70 pages of factual and legal analysis identifying the repeated violations of 
consumers’ rights by Facebook’s facial recognition program. The one-paragraph notice-and- 
choice response in the settlement is patently inadequate to address this important and complex 
issue. 

The majority of the FTC settlement concerns Facebook’s creation of a Mandated Privacy 
Program, Stip. Order 8-12, the “independent” assessments of that program, id. at 12-14, 
reporting of certain privacy “incidents,” id. at 14, and Facebook’s internal governance and 
reporting, id. at 14-17. But the mandated privacy program is not meaningfully different than the 
program already required under the existing consent decree. See 2012 Consent Order, supra, at 
5-6. There is no reason to believe this will be any more effective at preventing privacy abuses. 

Likewise, the Independent privacy program assessments were also required under the 
2012 Consent Order, but are meaningless without vigorous enforcement by FTC. The first 
assessment in 2013 identified a significant issue that the FTC never pursued—that Facebook 
didn’t assess service providers’ compliance with the company’s Data Use Policies. Kevin 
Martin, Vice President, U.S. Public Policy, Facebook, Letter to Senator Ron Wyden (Oct. 10, 

2018). 15 As PwC noted, “[tjhere is limited evidence retained to demonstrate that Facebook 
monitored or assessed the service provider’s compliance with Facebook’s Data Use Policies. 
Lack of comprehensive monitoring makes it more difficult to detect inappropriately implemented 
privacy settings within these third-party developed applications.” Id. That finding was redacted 
in the version of the assessment EPIC obtained through a Freedom of Information Act request. 
PricewaterhouseCoopers, Independent Assessor’s Report on Facebook’s Privacy Program: 
Initial Assessment Report for the Period Aug. 15, 2012 to Feb. 11, 2013, (reprocessed version 

15 https://www.wyden.senate.gov/imo/media/doc/Untitled.pdf. 
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released June 26, 2018). 16 Yet the FTC took no action to address Facebook’s lax privacy 
practices after reviewing the assessment. The FTC settlement simply extends the assessment 
requirement from the 2012 Order, and does not make changes necessary to ensure that the 
assessments will be available to the public, that they will actually provide independent oversight, 
or that they will result in meaningful changes in Facebook’s business practices. 

The Mandated independent privacy committee and other governance matters do not 
establish the necessary means of independent oversight to safeguard the rights of users of the 
services. That is the responsibility of the Federal Trade Commission. 

B. The FTC has the authority to change Facebook’s business and data collection 
practices. 

Under Section 5(1) of the FTC Act, 45 U.S.C. § 45(1), the Commission has broad 
authority to take remedial action for violations of its Consent Orders. Given that Facebook has 
repeatedly violated the terms of the 2012 Consent Order in ways that impact the majority of the 
American public and show no signs of curtailing their data collection practices, and given the 
company’s massive size and influence over American consumers, the FTC should restructure the 
company and impose new data protection obligations on Facebook in line with the Fair 
Infonnation Practices. 

The Code of Fair Information Practices(“FIPs”) sets out rights and responsibilities in the 
collection and use of personal data. EPIC, Code of Fair Information Practices. The FIPs are the 
starting point for all modem privacy law and were incorporated into the Privacy Act of 1974. 
Marc Rotenberg, Fair Information Practices and the Architecture of Privacy, 2001 Stan. Tech. L. 
Rev. 1. The FIPs have also been incorporated into other privacy laws and frameworks across the 


16 https://epic.org/foia/FTC/facebook/EPIC-18-03-20-FTC-FOIA-20180626-FB-Assessment- 
2013.pdf 
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world, such as the Organization for Economic Cooperation and Development (“OECD”) Privacy 
Guidelines, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal 
Data, 17 and the European Commission’s Data Protection Regulation. Regulation (EU) 2016/679, 
of the European Parliament and the Council of 27 April 2016 on the protection of natural persons 
with regard to the processing of personal data and on the free movement of such data, and 
repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 at arts. 
22, 13, 14, 15. 

EPIC has repeatedly urged the FTC to incorporate the FIPs into the Commission’s 
Consent Decrees and ensure that companies abide by their data protection obligations. See, e.g., 
EPIC, Comments to the FTC re: Draft Strategic Plan for Fiscal Years 2018 to 2022 (Dec. 5, 
2017); 18 Letter from EPIC et al. to Chairman Joe Simons and Members of the Federal Trade 
Commission (Jan. 24, 2019). 19 The FTC should require Facebook to comply with FIPs for all 
uses of personal data across all services for all of its companies; compliance with the FIPs 
mandate should be ensured through independent audits, public reporting, and routine inspection 
by the FTC. But the FTC has failed to exercise its authority as needed to protect Facebook users. 

The FTC has also failed to address Facebook’s unlawful acquisition and integration of 
user data. Facebook has breached the commitments that it made to the Commission in 2014 
regarding the protection of WhatsApp user data. Fed. Trade Comm’n, FTC Notifies Facebook, 
WhatsApp of Privacy Obligations in Light of Proposed Acquisition (Apr. 10, 2014); 20 Sheera 
Frenkel & Cade Metz, WhatsApp Co-Founder Leaving Facebook Amid User Data Disputes, 


17 http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_l_l_l_l,00.html. 

18 https://www.ftc.gov/system/fdes/documents/public_comments/2017/12/00009-142478.pdf. 

19 https://epic.org/privacy/facebook/201 l-consent-order/US-NGOs-to-FTC-re-FB-Jan-2019.pdf 

20 https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-facebook-whatsapp- 
privacy-obligations-light-proposed. 
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N.Y. Times (Apr. 30, 2018). 21 EPIC, along with the Center for Digital Democracy, filed a 
complaint urging the Commission to block Facebook’s acquisition of WhatsApp in 2014. EPIC 
Mot., Ex. 7, ECF No. 5-8. In 2016, after the merger had been approved, WhatsApp announced its 
plans to transfer users’ personal information to Facebook, including their phone numbers, for 
Facebook to use for targeted advertising. Looking Ahead for WhatsApp, WhatsApp Blog (Aug. 
25, 2016). EPIC and CDD then again tiled a complaint with the FTC opposing the transfer of 
WhatsApp user data to Facebook and arguing that the proposed policy changes violated Section 
5 of the FTC Act. EPIC Mot., Ex. 8, ECF No. 5-9. Yet the FTC has done nothing to protect 
WhatsApp users. 

As EPIC’s Marc Rotenberg recently explained, “If the FTC had stood behind its 
commitment to protect the data of WhatsApp users, there might still be an excellent messaging 
service, with end-to-end encryption, no advertising and minimal cost, widely loved by internet 
users around the world. But the FTC failed to act and one of the great internet innovations has 
essentially disappeared.” Marc Rotenberg, The Facebook-Whatsapp Lesson: Privacy Protection 
Necessary for Innovation, Techonomy (May 4, 2018). As this occurred after the 2012 Consent 
Order, the FTC should require Facebook to unwind the acquisition of both WhatsApp and 
Instagram. See Tim Wu, The Curse of Bigness: Antitrust in the New Guilded Age 132-33 (2018). 
The companies should be reestablished as an independent entities and Facebook should be 
required to disgorge the personal data unlawfully it acquired. This restructuring is necessary to 
restore competition and innovation for Internet messaging and photo app services, two important 
goals for the future of the Internet economy. 


21 https://www.nytimes.com/2018/04/30/technology/whatsapp-facebook-jan-koum.html. 


20 



Case l:19-cv-02184-TJK Document 24-1 Filed 10/16/19 Page 25 of 28 


Facebook should also end the practice of collecting personal data from individuals who 
are not in fact users of the service. In the absence of privity, the FTC has an additional obligation 
to correct business practices that are beyond the reach of market forces. 

C. A monetary penalty is not sufficient to address Facebook’s repeated privacy 
violations and will not protect Facebook users. 

The FTC’s substantial fine does not compensate for the lack of strong injunctive relief. A 
large monetary penalty is not sufficient to address Facebook’s repeated, systematic violations of 
the Consent Order and of Section 5. While a multi-billion-dollar fine may be large for the FTC, it 
is by no means unprecedented or even unexpected for a company of Facebook’s size. In the eight 
years since the FTC announced its original complaint and consent order against Facebook, the 
company’s revenue has increased more than 1000% from $5 billion to over $55. Facebook 
Revenue 2009-2019 \ FB , Macrotrends (2019). 22 As Commissioner Slaughter noted in her 
dissenting opinion, Facebook currently “brings in around $5 billion on a monthly basis.” 
Slaughter Dissent, supra, at 8. And there is no question that Facebook’s “ability to pay” a fine 
stretches well beyond $5 billion. Id. at 11. There is even significant circumstantial evidence that 
$5 billion is not sufficient to eliminate the financial benefits that Facebook “derived from the 
violations.” Chopra Dissent, supra, at 15-16. Facebook’s stock rose 5% when it disclosed the 
possibility of a $3-5 billion penalty in April 2019, Nick Stat, Facebook Sets Aside $3 Billion 
Ahead of Record FTC Fine Over Privacy Violations, The Verge (Apr. 24, 2019), 23 and its stock 
rose again when news reports confirmed the $5 billion penalty in July 2019. Rob Price, Why 


22 https://www.macrotrends.net/stocks/charts/FB/facebook/revenue. 

23 https://www.theverge.com/2019/4/24/18514805/facebook-q 1 -2019-earnings-ftc-record-fine- 
privacy-violations-3 -billion. 
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Facebook’s Stock Jumped Despite Facing a Record-breaking $5 Billion FTC Penalty: ‘A Slap 
on the Wrist’, Bus. Insider (July 12, 2019). 24 

Members of Congress have been outspoken critics of the settlement, arguing that the fine 
will not deter Facebook from future wrongdoing. Senators Edward Markey (D-MA), Richard 
Blumenthal (D-CT), and Josh Hawley (R-MO) wrote the FTC a letter that said: “It is clear that a 
$5 billion fine alone is a far cry from the type of monetary figure that would alter the incentives 
and behavior of Facebook and its peers.” Letter from Senators to FTC Chairman Simons and 
Commissioners Chopra, Phillips, Slaughter, and Wilson (July 16, 2019). 25 And House Antitrust 
Subcommittee Chairman David N. Cicilline (D-RI-01) said: “This fine is a fraction of 
Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect 
user data.” Press Release, Cicilline Statement on Facebook Settlement (July 12, 2019). 26 

III. The Court Should Carefully Consider Comments of Amici as other Opportunities 

for Public Comment are Precluded in this Settlement Review 

As a matter of agency practice and regulation, proposed FTC Consent Orders are posted 
for comment a public record for 30 days along with “the order contained in the consent 
agreement, the complaint, and the consent agreement.” 16 C.F.R. § 2.34(c). EPIC, for example, 
has submitted many comments to the Commission regarding proposed settlements. See, e.g., 
EPIC, Comments to the FTC, In re: Uber Technologies, Inc., FTC File No. 152-3054 (May 14, 
2018); 27 EPIC, Comments to the FTC, In re: Paypal, Inc., FTC File No. 162-3102 (March 29, 

2018); 28 EPIC, Comments to the FTC, In re: Snapchat, Inc., FTC File No. 132 3078 (June 9, 


24 https://www.businessinsider.com/facebook-stock-rose-news-5-billion-ftc-settlement-why- 
critics-2019-7 

25 https://www.markey.senate.gov/download/ftc-facebook-settlement-letter-. 

26 https://cicilline.house.gov/press-release/cicilline-statement-facebook-settlement. 

27 https://epic.org/apa/comments/EPIC-FTC-Revised-Uber-Settlement.pdf. 

28 https://epic.org/apa/comments/EPIC-FTC-PayPal-ConsentOrder.pdf. 
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2014). 29 EPIC even filed extensive comments on the initial proposed Consent Order with 
Facebook. EPIC, Comments to the FTC, In re: of Facebook, Inc., FTC File No. 092 3184 (Dec. 
27, 2011). 30 In some instances, the Commission has incorporated EPIC’s recommendations on 
proposed settlements to the benefit of consumers. Decision and Order, In re: Uber Technologies, 
Inc., FTC No. 1523054 (Oct. 25, 2018). 31 

In this proceeding, however, the FTC has sidestepped the regulatory opportunity for 
EPIC other members of the public to comment on the proposed settlement. As a consequence, 
the submissions of amici provide the only opportunity for the concerns of the public to be 
considered prior to the approval of the consent order. As the Federal Trade Commission is a 
public agency, the Court must ensure that the interests of the public are protected. There is more 
than ample evidence that the proposed settlement fails this test. 

CONCLUSION 

For the foregoing reasons this Court should deny the parties’ Motion to Approve the 
Consent Judgment and remand the case to the Commission for further proceedings. 


29 https://epic. org/privacy/ftc/FTC-Snapchat-Cmts .pdf. 

30 https://epic.org/privacy/facebook/Facebook-FTC-Settlement-Comments-FINAL.pdf. 

31 https://www.ftc.gov/system/files/documents/cases/152_3054_c- 
4662_uber_technologies_revised_decision_and_order.pdf. 
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